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(57) Abstract 

A method and apparatus for fraud control in cellular telephone systems. Call records from a switch are scanned to identify a fraudulent 
cellular phone *>ased on its behavior. An identifier, e.g., a radio frequency (RF) signatore. representative of the fraudulent phone is stored in 
a control channel editor (10) at a cell site. A database of identifiers may ccmprise a positive validation database storing the identifiers for all 
valid phones used in the cellular telephone system, or it may be a negative validation database storing the identifim for known fraudulent 
phones. A control channel editor (10) intercepts a call origination request transmitted by a phone, and a control processor (40) ccrap^es 
one or more characteristics of the phone transmitting the call origination request to the database of identifiers. The control processor (40) 
then prevents the call origination request from completing when the comparison indicates that the phone is fraudulent The call origination 
request can be prevented from completing by (I) re-routing die call to a customer service or "fraud hot line" number, (2) interrupting the 
call origination request, (3) transmitting a "hang-up- message to the phone, (4) transmitting a "hang-up" message to the cell site, or (5) 
transmitting a "tear-down" message to a switch. 
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FRAUD CONTROL IN CELLULAR TELEPHONE SYSTEMS 

BACKGROUND OF THE INVENTION 

1. Field of the Invention. 

5 This invention relates in general to radio frequency 

(RF) communication systems, and in particular, to a 
method and apparatus for fraud control in cellular 
modible radiotelephone (CMR) and personal communications 
services (PCS) systems. 

10 

2. Description of Related Art. 

Cellular telephones combine the mobility of the 
radio link and the world-wide land telephone network to 
provide a communication link to any other telephone in 
15 the world. However, as cellular phones have becqme more 
prevalent throughout the country, fraud has become a 
major problem. Cellular fraud robs service providers of 
hundreds of millions of dollars every year. Like all 
crimes, there are several varieties of cellular fraud, 
20 including "cloning." 

- Cloning fraud, which occurs when a legitimate 
subscriber's MIN/ESN combination is used for illegal 
purposes, is among the most sophisticated and difficul^^ 
7: . Often, the pirate will use 

: :25 : simple electronic devices to "capture" the legitimate 
:MIN/ESN combination during its transmission by radio 
frec[uency (RF) . In these cases, the legitimate 
subscriber often does not know fraud is being committed 
with his or her MIN/ESN combination until they receive 
30 the bill. This is currently the most popular method of 
gaining illegal access to a cellular system, because the 
legitimacy of the stolen MIN/ESN combinations makes 
cloning difficult to catch. 

There are certain steps that can be taken to prevent 
35 cloning fraud. In some instances, carriers block calls 
to certain destinations, or impose "brownouts" on call^ 
using specified MIN codes, particularly on international 
calls, that have been previously abused. Although 
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drastic, this method currently is often the only way to 
-stop cloning fraud. 

The eventual release of digital cellular phones into 
the mass market will provide another avenue for fraud. 
5 Digital phones will also be susceptible to new and 
improved criminal techniques for stealing MIN/ESN 
combinations. Thus, carriers are forced to seek other 
methods of detecting and preventing fraudulent calls. 

Several companies, including Electronic Data- Systems 
10 (EDS) and Subscriber Computing, Inc. (SCI) have 

developed anti-cloning products that analyze calling 
patterns using call records. For example, EDS' PCC 
Cloning Detection System and SCI' s Fraud Watch System > 
are designed to be interfaced with cellular switches, so 
7;15 that call information can be collected after the calls 
Y completed. These systems can be used to 

^ identify calling patterns in the cql^ 

_ _ ..^1^^^^ fraudulent usage. 

These systems typically allow operators to specify 
20 certain criteria to identify fraud* These; critieria meiy 
include niomber of calls per hour, call d.uratipns, numb^er 
of minutes used by a specific phone within a.n hour, 
number of international or toll- calls per hour, and 
calls to specific countries or MPA/NXXX codes . Operator 
25 can also identify fraudulent usage by the specific 
number dialed for those nvunbers that have been 
previously identified as a number called by fraudulent 
callers. The call records of cellular phones meeting 
any number of criteria can be viewed online or printed. 
30 Although they cannot prevent cloning fraud, such 

systems provide carriers with a method of identifying 
cloning fraud, so that losses can be tabulated. 
Unfortunately, current methods can only detect or 
monitor fraud after the caller hangs up, and provide no 
35 way to stop fraud. Thus, there is a need in the art for 
techniques that enhance the use of analyzed call 
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patterns to deny pirates the use of cellular telephone 
systems . 

SUMMARY OF THE INVENTION 
5 To overcome the limitations in the prior art 

described above, and to overcome other limitations that 
will become apparent upon reading and understanding the 
present specification, the present invention discloses a 
method and apparatus for fraud control in RF 
10 communications systems, and cellular telephone systems 
in particular. Call records are scanned to identify a 
fraudulent cellular phone based on its behavior. Aii 
identifier, for example, an RF signature, repr^sentat4-ve 
of the fraudulent cellular phone is stored in fraud 
15 control equipment located at a cell site. A database of 
identifiers may comprise a positive validation database 
storing the identifiers for all valid cellular phones^ 
used in the cellular telephone system, or it may be a 
negative validation database s tor i^^ identi 
20 known fraudulent cellular phones . A control channel; 

editor intercepts a call origination request transmitted 
from a cellular phone to the cell site, and'^cpmpares^f 6^ 
or more characteristics of the cellular phoney 
transmitting the call origination request to the 
25 database of identifiers. The control channel editor 

then prevents the completion of the phone call when the 
comparison indicates that the cellular phone is 
fraudulent. The call origination request can be 
prevented from completing by (1) re-routing the call to 
30 a customer service or "fraud hot line" number, (2) 
interrupting the call origination request, (3) 
transmitting a "hang-up" message to the phone, (4) 
transmitting a "hang-up" message to the cell site, or 
(5) transmitting a "tear-down" message to a switch. 

35 
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BRIEF DESCRIPTION OF THE DRAWINGS 
Referring now to the drawings in which like 
reference numbers represent corresponding elements 
throughout: 

5 Figure 1 is a block diagram illustrating the 

components of the present invention; 

Figure 2 is a block diagram illustrating the 
components of the present invention including an emitter 
detect; and 

10 Figure 3 is a block diagram further illustrating th^^ 

components of the centralized fraud control ; system u^eci 
in the present invention . 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 
15 In the following description of the preferred 

embodiment, reference is made to the accompanying 
drawings which form a part hereof , and in which is shown 
by _way of illustration, a specific embodiment in which 
the invention may be practiced. It is to be iinderstqpd 
2 0 that other embodiments may be used and changes may be^^^^^^^^^ 
made^: w depart^ f ^^pm the sfcoge of the pr^^ 

uinyention. 



Overview 



25 The present invention provides a method and 

apparatus for fraudulent control in controlled access 
wireless communications systems, including cellular 
mobile radiotelephone (CMR) systems, personal 
communications seirvices (PCS) systems, and specific 

30 multiuser radio (SMR) systems. The present invention 
identifies fraudulent cellular phones by past behavior 
and a unique identifier, and then denies these cellular 
phones any further use of the cellular network. The 
present invention also has application to system 

35 monitoring of cell site and subscriber phone 

performance,^ cellular phone location services, and other 
applications . 
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Figure 1 is a block diagram illustrating a component 
of the presen|: invention • A control channel editor 10 
comprises receive side components including an FM 
receiver 12, data demodulator 14, delay memory logic 16, 
5 data modulator 18 and an FM transmitter 20, and transmit 
^ side components including an FM receiver 22, data 

demodulator 24, data controller 26, data modulator 28 
and an FM transmitter 30. 

The control channel editor 10 is coupled to the RF 
10 distribution cabling from the cell site antennae 32 and 
to the cell site control channel equipment 34 . Since 
1 t^ editor 10 deals with a standard RF 

interface, it can be used with any cell site -equipment 
34 . Moreover, the operation of the control channel 
1^^ editpr 10 is transparent to cellular phpne users during: 

nozinal operation, and acts only to interrupt the 

placement of calls by fraudulent cellular phones • 
; In order to provide the level of reliability 
required in a public service system, fail-safe relays 36 
20 and 38 are prpviided to allow normal operation .of the 
: ; should a malfunction occur within 

— v: :y;thev;^ channel editor 10, If the control channels 

-^editor 10 fails in any way, the relays 36 and 38 will^be 
de-energized, so that control channel editor 10. is 
25 bypassed. 

A control processor 40 is coupled to the control 
channel editor 10 via the delay memory logic 12 and the 
data controller 26. Also coupled to the control 
processor is a call termination signal generator 42, an 
30 RF signature system 44, a switch 46, and a centralized 
fraud control system 48. 

Upon further reading of this specification, those 
skilled in the art will recognize that not all of the 
various components shown in Figure 1 are required to 
35 practice the present invention. Moreover, different 
combinations of the components from those illustrated 
herein may be used, as described in more detail below. 
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In addition, the connections between components mad^ 
modified from those illustrated herein, depeiiding on the 
method of fraud control used. 

.. . • . : . t. .. 

5 Operation ^ , ; ry. 

When a user first turns on his cellular teljephpne, 
the cellular phone scans and identifies the set ^^up; or ; ^ 
control channels being received. The cellular phone 
then selects and tunes to the strongest control channel 

10 signal, presumably from the nearest cell transmitter. 
Transmitted "busy-idle" bits inform the cellular phpnie 
of the status of the reverse signalling portion ^ (phpi>e? 
to cell site) of the control channel to prevent;; ; i ; 
simultaneous seizure by more than one cellular^ phone .= ; 

15 There are other handshake and timing checks to guard y 
against collisions between cellular phones . 

The cellular phone automatically registers with the 
cellular system when it is powered on. -At regist^^ 
the phone sends its mobile identification number (MIHV^^^^^ 

20 electronic serial number (ESN) , station class mark^ 
etc., to the cell site. Depending upon system 
procedures, registration can verify that service for rt^ie 
cellular phone is available, or that the cellular phone 
is not on a "hot list" relating to unauthorized use or 

25 stolen phones. However, unless the MIN/ESN combination 
is on the "hot list," registration will not identify 
cloning fraud. After registration, the cellular phone 
then turns -off its transmitter, although it continues to 
monitor the selected control channel for incoming calls . 

30 When a call is originated from the cellular phone, 

the subscriber enters the dialed digits of the called 
number, which are temporarily stored in the cellular 
phone, and presses the "send" key. The cellular phone 
then goes "off-hook," and scans and selects the 
35 strongest control channel. When a "busy-idle" bit 

signifies that the control channel is idle, the phone 
sends a data stream to the cell site, including its 
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identification (MIN/ESN) and the dialed digits of the : 
called number. 

In one embodiment of the present invention, the 
signalling data stream from the cellular phone is 
5 received as RF signals at the antennae 32 of the cell 
site. The RF signals are coupled from the antennae 32 
to the FM receiver 12, and then demodulated by data 
demodulator 14. At the appropriate time , the transmit 
side components of the control channel editor 10 toggle 

10 the busy/idle bit in the signalling data stream to the 
cellular phone. This "handshake" lets the cellular 
phone known that the cell site is receiving the control 
signal. The data stream is then stored at delay memory 
logic 16/ so that the call prigination request: 

15 represented thereby can be delayed if necessary until 
the identity of the cellular phone is verified. The. 
data stream is also transmitted to the control 
micrpprocessor 40, which uses one or more of a plurality 
of identification techniques to determine whether -the 

20 cellular phone is fraudulent. After the control 

microprocessor 40 completes its identif icatipn, an4 ha^^ 
deteannined that the cellular phone is not fraudulent^^^ 
tlie data stream is re-modulated by data modulator .18^^ ^t^^^ 
the same frequency and then transmitted to a control 

25 channel transceiver component (not shown) of the cell 

site equipment 34 by the FM transmitter 20. To complete 
the call set-up, the control channel transceiver 
component of the cell site equipment 34 transmits the 
voice channel assignment to the transmit side components 

30 of the control channel editor 10. The transmit side 

cpmponents of the control channel editor 10 transmit the 
voice channel assignment to the cellular phone and to 
the control processor 40. 

If the cellular phone is identified as fraudulent, 
35 then the control processor 40 and control channel editor 
10 can use one or more of a plurality of different 
methods to handle the call origination. For example. 
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one method may completely interrupt or deny the call 
set-up, so that the data stream received from the 
cellular phone is not transmitted to the control channel ^ 
transceiver of the cell site equipment 34. Another 
5 method may alter the dialed phone niimber embedded in the 
: d stream, so that the call is re-routed to a customer 
service phone number or "fraud hot line" phone number 
instead of; the phone number dialed by the user. Both of 
these methods would preferably use a f astvidentif icatipn 
10 technique in the control microprocessor 40 ^ e.g., 

identification within 0.5 seconds, so that calls are not 
adversely affected by slow call origination responseV 
Moreover, this method would require only the receive ^ 
side components of the control channel editor 10. 
15 Still another method may send release, reorder, 

maintenance, or interrupt order commands to the cellular 
phone using the transmit side components of the control 
chaxmel editor 10. While this method could be used with 
a fast identification technique, it is also readily iis^^ 
20 with slower identification techniques, e.g. , ^ 

identification within one aecond. Moreover, J th-is mpt^ 
would require both the receive side and transmit side 
components of the control channel editor 10, although 
the receive side components may only need to " tap 'V into 
25 the reverse signalling data streams and may not have = to 
delay and/or re-build the data streams. 

Yet another method may transmit a call termination 
signal to a voice channel transceiver (not shown) of the 
cell site equipment 34 using the call termination signal 
30 generator 42. The particular voice channel transceiver 
is identified by the voice channel assignment 
information provided to the control processor 40 by the 
transmit side components of the control channel editor 
10. The call termination signal generator 42 instructs 
35 the cell site equipment 34 that the user has "hung up" 
his phone, so that the cell site equipment 34 then also 
hangs up. While this method could be used with a fast 
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identification technique^ it also permits the: use of , 
slower, more complex identification techniques / ^,•9^/^^ 
identification taking more than one second. 'Moreover^ 
the call termination could occur at any point during the 
5 call, so there is no time limit for the identification 
techniques. However, the method generates call records 
that will need to be resolved during the billing cycle 
to avoid billing the valid customers for the fraiuduient 
calls . 

10 Still yet another method may transmit a call 

termination command to the switch 46 from the control 
microprocessor 40. This command would instruct the 
switch 46 to terminate the call. While thiis ;:metho|l 
could be used with a fast identification techriique, it 
15 also permits the use of slower, more complex 

identification techniques, e.g., identification takii^^^ 
more than one second. The call termination could ocdur 
at any point during the call, so there is no time limit 
for the identification techniques. Moreover , this 
20 method may only require the receive side cpmpp^ 
the control channel editor 10 for "tapping" -the 
signalling data stream from the cellular phone, and thus 
may not have to delay and/or ; re-build the data st^reams . 
However, the method generates call records that will 
25 need to be resolved during the billing cycle to avoid 
billing the valid customers for the fraudulent calls. 

The identification techniques performed by the 
control microprocessor 40 would compare the cellular 
phone placing the call against an identification 
30 database. These comparisons may be performed against a 
negative validation database (containing known 
fraudulent cellular phones) or a positive validation 
database (containing all known non- fraudulent cellular 
phones). Typically, a negative validation database 
35 would be preferred, because it would be smaller and more 
readily searched, thereby limiting the amount of time 
the comparison would require. Moreover, with the 
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negative validation database, secondary pattern data, 
such as call history, called number, call frequency, 
call time, station, class, etc, can be used to v^li^ate 
a close match. 
5 The identification techniques performed by the 

present invention can comprise one or more pf a 
plurality of different methods. For example, known : 
"cloned" MIN/ESN combinations can be denied access to. 
the cellular telephone system, although this is easily 
10 circumvented by the pirate re-programming the fraudulent 
cellular phone. Another technique would usie the MIN/ES?J 
combination to look-up one or more known station qlass 
^ :^ marks of the corresponding cellular phone , ; comparer t 

known station class marks to the station cli?LS^: ma|i:k 
15 transraitteci to the cell site by the cellular phone,, a^^^ 
deny access when a mismatch occurs. Still anotiher 
technique would . compare the dialed phone digit? to 
ffsuspect^' phone nximbers uncovered during the ^analysis^^^^^^^^^ 
: prior fraudulent cellular phone calls , and, cieny callp 
20- placed to those suspect phone numbers. 

„ : An ; identif i^ based on the ^ comparison 

of RF signatures f 03: the cellular phones coulfi^^^^^^^ 
i^ ^ ' used to identify fraudulent cellular phones . The xise ;pf 
RF signature identification is important because it 
provides a way of independently identifying the 
fraudulent phone with using the ESN or MIN. Moreover, 
the use of RF signature identification can be used 
nationally to prevent roaming fraud. 

RF Signature Identification 
Figure 2 is a block diagram further illustrating the 
components of the RF signature system 44. The RF 
signature system 44 typically comprises an FM receiver 
50 r analog-to-digital (a/D) converter 52, and a digital 
signal processor (DSP) 54. From existing antennae 32, 
the. received RF signal is sent to the FM receiver 50 
that operates in the 824 MHz to 894 MHz range and has 
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repeatable performance characteristics > including flal^ 
frequency and phase response, low phase noi^e, high , - 
dynamic range, stable amplitude, and accurate automatic 
gain control. The a/D converter 52, which converts the 
5 analog output from the FM receiver 50 into digital data, 
preferably has a minimum sample rate of 3 ^2 MHz to 
accommodate a bandwidth greater than or equal to 1.25: 
MHz. The DSP 54 performs the necessary calculations 
using the digital output of the A/D conyprtor 52 to / 
10 determine the RF signature of the cellular phofie./ The 
DSP 54 encodes measured characteristics of the cellular 
phone into a digital RF signature descriptor data , : 

streeun. '^T ; ^"'5^::. 

The control microprocessor 40 compares ./^he^ 
15 RF signature descriptor data s|tream to a dat^e^|?^^se:; of hi^RF 
signatures of known fraudulent cellular phpnes:- (negati^ 
validation) or with a database of RF signatures of al^ 
non- fraudulent cellular phones :( posit ya],idati.pnX^^.^^ 
In a positive validation databas**, the combination^ Q^^^^^ 
20 signature with the associated MIN/ESN combina 
most likely prove to be "unclpn^able.^^ 
validation database, secondary jpat:tern data ^ .such- • a^^ 
cell site, MIN/ESN combination,; :Ca11 history , ; the called, 
number, call frequency, call time, station, class , etc . , 
25 can be used to validate a close match. 

The technique of identifying an RF signature is not 
new in the art, and has been previously used in military 
and intelligence applications. An example of an 
apparatus for characterizing a radio transmitter can be 
30 found in U.S. Patent No. 5,005,210 issued April 2, 1991, 
to Ferrell, incorporated by reference herein. Other = 
exeunples include technology developed by the 
Electromagnetic Systems Laboratoiry of TRW, Inc. 
The characteristics used in creating the RF 
35 signature should be consistent over time, temperature, 
battei^r voltage, orientation, location, use of car kits, 
etc., and yet be distinctive between individual cellular 
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phones. Usually, the RF signature can be any 
unintentional modulation that is unique to the specific 
cellular phone. Because of fading due to inultipathi r 
transmissions, amplitude data will typically be 
5 distorted/ and thus the characteristics used should 
preferably comprise phase or frequency type 
characteristics that are less affected by the cellular 
environment • 

These characteristics can include, t)ut are 'not 

10 limited to, turn-pn transmitting amplitude, frequency or 
phase modulation versus time, the time between turn-on 
and onset of data, phase and frequency modulation du:pihg 
that delay/ the initial amplitude, phase and frequency- 
modulation when data transmission starts^ traLnsmissipril 

15 bit times, total times, timing jitter, rise arid fair: K 
timing, carrier turn-off time, modulation deviation^ and 
distortion, modulation phase, bit to bit modulation = 
variations, demodulation spectrum, spurious transmitter 
■ date^, -e^tC;. . ■ : j;^^):.: . 

20 Some or all of these various characteristics x:an^^^ 

^sed by the DSP 54 to create an RF signature ; uniqu% $^^ ^ 
a given cellular phone. Preferably, the DSP 54 th^ j 
condenses the selected characteristics into a digital^ ^^^^^ 
signature descriptor data stream having a compact format 

25 that is easy to transmit from place to place. For 

example, the digital RF signature descriptor data stream 
can be transmitted to a control processor 40 and 
centralized fraud control system 48 for storage and 
later inclusion into positive and negative validation 

30 databases . 

Centraliged Fraud Control System 
Figure 3 is a block diagram further illustrating the 
components of the centralized fraud control system 48. 
35 The fraud control system comprises a CPU 56, one or more 
monitors 58, a data link GO to a port of the switch 46, 
a data link 62 to the control microprocessor 40, and 
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(optionally) databases for call records 64, RF 
signatures 66/ positive validation 68 and negative 
validation 70. 

The fraud control system 48 perforins real-time data 
5 cpllection of call records from the cellular telephone 
switch 46 into a call database 64. Using a behavior 
profiling algorithm, the fraud control system 48 scans 
the call records in the database 64 and extracts recpirds 
corresponding to probable fraudulent activity i The 

10 behavior profiling algorithm identifies and flags 

specific activities represented within the different: 
fields of the call records, including t;ime, duration, 
q^ll^ dialed digits, etc. Rele^tive prpbab^ ar^ . 

assigned to the specific activities identified and 

15 f lagged within the call records. : 
Some example criteria and their relative 



probabilities are described below: 

1. . Excessive call duration threshold made by a 

: -^-— i r: V - V cellular phone w;ithin a given time f^perio^ For-: 
-20 example , more than one long duration c 

hour could re in the m 15; 

: I- T^^ points towards an al^rm; threshql-d .;, 

2. Excessive number of call attempts made by a; 
cellular phone within a given time period. For 

25 example, more than one call attempt per hour 

could result in the assignment of 15 points 
towards an alarm threshold. 

3. All domestic toll call attempts made by a 
cellular phone within a given time period. For 

30 example, each domestic toll call attempt per 

hour could result in the assignment of 13 
points towards an alarm threshold. 

4. All international toll call attempts made by a 
cellular phone within a given time period. For 

35 example, each international toll call attempt 

per hour could result in the assignment of 20 
points towards an alarm threshold. 
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5. All three-way conference calls made by a 
cellular phone within a given time period. Ppr 
example / each three-way conference call attempt 
per hour could result in the assignment of 17 

5 points towards an alarm threshold. 

6 . Excessive number of call attempts to specific 
NPA/NXXX codes made by a cellular phone within 
a given time period. For example, more than 
one call attempt per hour could result in the 

10 assignment of 15 points towards an alarm 

threshold. 

7. Any calls with identical MIN/ESN that overlap 
for more than 59 seconds. 100 points. 

8. Any calls to a known phone niamber preyip^ 

15 called by fraudulent cellular phones under th^^ 

assumption that "who you call is who you are. r 
100 points. 

9. Any calls from a cellular phone to the number 
of a known fraudulent cellular phone under the 

20 asstimption (verified by a 70% correlatipn> ^^^^^t^^ 

the cellular phone placing the call is 
fraudulent as well. 100 points. 
These criteria and associated prpbabilitie^ ajce the 
result of trial and error investigation by the Assign^^ 
25 and have been validated through experience. 

Nonetheless, those skilled in the art will rQCognizfe 
that other criteria and probabilities could be 
substituted for those described above, without departing 
from the scope of the present invention. 
30 The fraud control system 48 indexes all call records 

in the call database 64 linked to a specific MIN/ESN 
combination and the relative probabilities are 
accumulated towards an alai™ threshold. The alarm 
threshold reflects an accumulated probability within 
35 some defined period, e.g., acciunulating 100 probability 
points within one hour. The alarm threshold may be 



wo 95/01707 



PCT/US94/62503 



15 

reached immediately/ as when one call overlaps another 
with an identical MIN for more than 59 seconds. 

If the alairm threshold is reached, the MIIJ/ESN ; "^^^^^ 
combination is identified as a fraudulent cellular 
5 phone- In some cases, these identifications of 

fraudulent cellular phones are performed automatically 
by the fraud control system 48, In other cases, these 
identifications of fraudulent cellular phones are ' 
perfoimied automatically by the fraud control system 48, 
10 and then verified through the intervention of an 
operator. 

Once a fraudulent cellular phone is icientified by 
the fraud control system 48, the positive and/pr 
negative validation databases 68 and 7 0 are updat^d^^ t^^^^^ 

15 reflect the identification , The updates may include/ a^^^ 
manner of phone-specific information^ such as the RF- 
signature from the RF sigM database 66, and;t^ 

MIN/ESN cpmbinatipn, the associated station clas|s ma^^^^ 
of the phone , ^'s;uspect " dialed numbers , , etc dprpm 

20 call database 64 and/or a subscriber inf orm^ation 

database (not shown) • In addition, the local database 
used by the control microprocessor 40 is updated t^p 
prevent further access by thei fraudulent cellular, phpr^^^^ 

25 Conclusion 

This concludes the description of the preferred 
embodiment of the invention. The following paragraphs 
describe some alternative methods of accomplishing the 
same invention. 

30 In addition to cellular telephone systems, those 

skilled in the art will recognize that the present 
invention can be applied to other mobile radios, 
personal communications systems, paging systems, 
aircraft communications, satellite communications, as 

35 well any other controlled-access radio frequency 
communications systems . 
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Rather than using the specific components, and 
combinations of components described herein, those 
skilled in the art will recognize that other components 
^- 1 M of qomponents could be substituted 

.5? therefor without departs from the scope of the present 
• invention. Moreover, the connections between various 
components may be modified from those illustrated 
herein . 

Rather than using the specific methods and ptocess 
10 steps described herein, those skilled in the art will 
recognize that other methods and steps could be 
substituted therefor without departing from t;he sgppe of 
: . the: present invention . ; *} i 

In sximmary , a method land apparatus for fraud contirpl 
■15 i^^^^^ telephone system? has been described. Call 

:„ a switch are scanned to identi.fy ^ 

. -^ phone based on its behavior. An 

i^ e.g., a radio frequency (RF) signature, 

representative of the fraudulent cellular phpni^ is 
20 ; stored in a control channel editor at a celL site.. A 
-^^^■^^^^ 3^ identifiexs may comprise a positive^ ^^^^^^^^ . : 

ivalidatipn^^d^ storing the identifiers fpr all 

: • .Y subscribers; of the cellular telephone systeii|,^ or 

it may comprise a negative validation database storing 
25 the identifiers for knowmf raudulent cellular phones. A 
control channel editor intercepts a call origination 
request transmitted from a cellular phone to the cell : 
site, and a control processor compares one or more 
characteristics of the cellular phone transmitting the 
30 call origination request to the database of identifiers. 
The control processor then prevents the call origination 
request from completing when the comparison indicates 
that the cellular phone is fraudulent. The call 
origination request can be prevented from completing by 
35 (1) re-routing the call to a customer service or "fraud 
hot line" number, (2) interrupting the call origination 
request, (3) transmitting a "hang-up" message to the 
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phone, (4) transmitting a "hang-up" message to the cell 
site, or (5) transmitting a "tear-down" message to a 

switch. C ; 

The foregoing description of the preferred 
5 embodiment of the invention has been presented . for the 
purposes of illustration and description. It is not/ 
intended to be exhaustive or to limit the invention to 
the precise form disclosed. Many modifications and 
variations are possible in light of the above; teaching. 
10 It is intended that the scope of the invention be 

limited not by this detailed description, but jrather^^^ 
the claims appended hereto. 
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WHAT IS CLAIMED IS: 

1. An apparatus for preventing fraud in a 
radiotelephone system, comprising: 

(a) a control channel editor , coupled to an antenna 
at a receiving site in .the radiotelephone system^ fpr 

: receiving radio f requency ( RF ) signals from a 

radiotelephone comprising a call origination request; 
■ and- 

(b) a control processor r coupled to the cpntr^^^ 
channel editor, for comparing a characterieftic of the 
radiotelephone tp;4s tor ed identifiers when the; call 
origination request is received by the control channel 
editor, for determining whether the radiotelephone: is 
fraudulent based on the comparison, and for inteirru^ 
the call from the radiotelephone when the comparison 
indicates that the radiotelephone is fraudulent. 

2. The invention as set forth in claim 1 above, 
therein the means for interrupting compxrifiies meaM 
replacing a called number embedded in the call 
prig^ination request received by the control tphann^l 

; ^ P^edeteiroined fraud redireMCti^ / ; 

3. The invention as set forth in claim 1 above / 
wherein the means for interrupting comprises means for 
instructing the control channel editor to transmit a 
"hang-up" signalling tone to the cell site when the 
comparison indicates that the radiotelephone is 
fraudulent, so that the call is terminated. 

4. The invention as set forth in claim 1 above, 
wherein the means for interrupting comprises means for 
instructing the control channel editor to transmit a 
command to the phone when the comparison indicates that 
the radiotelephone is fraudulent, so that the call is 
terminated, wherein the command is selected from a group 
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comprising release, reorder, maintenance and intercept 
order commands. 

5. The invention as set forth in claim 1 above, 
wherein the control processor is coupled to a switch, 
and the means for interrupting comprises inea.ns for 
transmitting a "tear-down" message to the switch when 
the comparison indicates that the radiotelephone is 
fraudulent, so that the call is terminated. 

6. The invention as set forth in claini 1 above, 
wherein the control channel editor comprises : 

(1) an FM receiver, coupled to an antenna at the 
receiving site, for receiving radio frequencyi (RF) i x 
signals from the radiotelephone transmittii>gi^the ce^ir^^^^^ 
origination request and for generating analog signals 
corresponding thereto; 

(2) a data demodulator, coupled to the FM receiver, 
for converting the analog signals into jdigital: data; 

(3) delay memory logic, coupled to the data 
demodulator and the control processor , for delaying ;^ 
tranismission of the digital data; : >r 

(4 ) a data modulator, coupled to the delay memory ^ 
for converting the digital data into analog signals; and 

(5) an FH transmitter, coupled to a control channel 
transceiver at the receiving site, for receiving the 
analog signals and for transmitting radio frequency (RF) 
signals corresponding thereto to the control channel 
transceiver . 

7. The invention as set forth in claim 6 above, 
wherein the control channel editor further comprises: 

(7) an FM receiver, coupled to the control channel 
transceiver at the receiving site, for receiving radio 
frequency (RF) signals from the control channel 
transceiver and for generating analog signals 
corresponding thereto, wherein the RF signals comprise 
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supeirvisory and control transmissions to the 
radiotelephone; 

(7) a data demodulator, coupled to the FM receiver/ 
for converting the analog signals into digital data;s 

(8) a data controller, coupled to the data 
demodulator and the control processor, for transmitting 
the digital data to the control processor; 

(9) a data modulator, coupled to the data 
controller, for converting the digital data into' analog 
signals; and 

(10) an FM transmitter, coupled to the antenna at 
the receiving site, for receiving the analog signals and 
for transmitting radio frequency (RF) signals 

_ the radiotelephone. 

^ - ' 8. The invention as set forth in claim 1 abcrvre, 

further comprising: 

(c) an RF signature system, coupled to the control 
processor, for receiving a radio frequency (RF) 
transmission from the radiotelephone, and for 
characterizing the RF transmission as a digital RF 
signature substantially unique to the radiotelephone; 
and 

(d) the control processor further comprising means 
for comparing the digital RF transmission to a database 
of stored digital RF signatures to determine whether the 
radiotelephone is fraudulent. 

9. The invention as set forth in claim 8 above, 
wherein the database is a positive validation database 
comprising the digital RF signatures for all valid 
radiotelephones used in the cellular telephone system. 

10. The invention as set forth in claim 8 above, 
wherein the database is a negative validation database 
comprising the digital RF signatures for known 
fraudulent radiotelephones . 
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11, The invention as set forth in claim 8 above, 
wherein the control processor further comprises means 
for comparing secondary patterns characteristic of the 
radiotelephone to stored identifiers of the secondary 
patterns to determine whether the radiotelephone is 
fraudulent when the comparison of the digital RF 
signature indicates a close, but not exact, match, 
wherein the secondary patterns comprise o;ie or more o^ 
the following: - 

a mobile identification number (MIN) transmitted 

from the radiotelephone, 

an electronic serial number (ESN) transmitted by^^^^^t^ 

radiotelephone, 

a called number transmitted by the radiotelephone , 
a receiving site receiving the call origination 

request, 

a frequency of call origination requests receiyed 
from the radiotelephone for a specified time period, arid 

an amount of time the radiotelephone has been in use 
for a specified time period. 

12, The invention as set forth in claim il^ 
further comprising: 

(c) a fraud processor, coupled to the control 
processor and a switch, for receiving call records from 
the switch, for analyzing the call records to identify 
fraudulent phones based on the behavior described in the 
call records, and for transmitting an identifier 
representative of the fraudulent phone to the control 
processor. 

13. A method for preventing fraudulent calls in a 
controlled access radiotelephone system, comprising the 
steps of: 

(a) scanning call records from a switch to identify 
fraudulent radiotelephones based on their behavior; 
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(b) Storing an identifier for each of the fraudulent 
radiotelephones in an electronic memory, wherein the,;; 
identifier is representative of a characteristic of the 
fraudulent radiotelephone; 

(c) receiving a call origination request •transmitted 
from a radiotelephone to a cell site; 

(d) detecting the characteristic of the. 
radiotelephone transmitting the call origination 
request; 

(e) comparing the characteristic of the i 
radiotelephone transmitting the call origination reqi^es^ 
to the stored identifiers in the electronic memory; and 

(f) preventing the call origination request froin 
completing when the comparison indicates that, th^^^ 
radiotelephone transmitting the call origination r^^ 
is fraudulent. 

14. The invention as set forth in claim 13 above, 
wherein the preventing step comprises the step of re- 
routing the call origination request when the comparison 
indicates that the radiotelephone is f raudiilent ,^^ w^^ 

a called nxiniber embedded in the call originatiq^^^ 
is replaced with a predetermined fraud redirection 
number. 

15. The invention as set forth in claim 13 above, ^ 
wherein the preventing step comprises the step of 
interrupting the call origination request when the 
comparison indicates that the radiotelephone is 
fraudulent, so that the call origination is never 
completed • 

16. The invention as set forth in claim 13 above, 
wherein the preventing step comprises the step of 
transmitting a "hang-up" signalling tone to tl>e ceill. 
site when the comparison indicates that the 
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radiotelephone is fraudulent, so that the call is 
terminated. 

17. The invention as set forth in claim 13 above, 
wherein the preventing step comprises the step of 
transmitting a command to the phone, when the comparison 
indicates that the radiotelephone is fraudulent, so that 
the call is terminated, wherein the comm^ind comprises at 
least one of the commands from a group comprising 
release, reorjdei:/ ma and intercept order 

comLmands.. 

i:^ ThQ ^iXJi^^^ ^s Set f oiT th ill c X iM^rv :1 3 

wherein the preventing step comprises the step of 
transmitting a "tear-down" message to a switch when th^ 
comparison = indicates that the radiotelephone is 
f raudul^^^ so that the call is terminfited. 

r : : - J: ■ V; 1 The . invent ion as set forth in claiin 13 above, " 
7 w^ the (Characteristic is a radio freg^iency (RF)-, v 

signature, and the indicator is a digital value of the 

Z.:::^. :iR|'^^s ignatuire :\ ^ '/ \ 

j!; I;^: as set forth in claim -13 above, - 

• - w a mobile identification number 

■ 7(MIN):. 

' 2 1 • The invention as 
wher^^ identifier is 

( ESN ) . 

22. The invention as set forth in claim 13 above, 
wherein the identifier is a called number. 

23. The invention as set forth in claim 13 above, 
wherein the identifier is a station class mark. 




set forth in claim 13 above,, 
an electronic serial number 
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24. The invention as set forth in claim 13 above, 
wherein the comparing step further comprises comparing 
secondary patterns characteristic of the radiotelephone 
to stored identifiers of the secondary patterns to , 
determine whether the radiotelephone is fraudulent, when 
the comparison of the digital RF signature indicates a 
close, but not exact, match, wherein the secondary 
patterns comprise one or more of the following: 

a mobile identification number (MIN) transmitted 
from the radiotelephone, 

an electronic serial number (ESN) transmitted from 
the radiotelephone, 

a called number transmitted from the radiptelephoxi^ , 

a receiving site receiving the call origination 
request, — 

a frequency of call origination requests received 
from the radiotelephone for a specified time period, and 

an amount of time the radiotelephone has l?eeni^ 
for a specified time period. 
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(57) Abstract 

An apparatus for detecting potentially fraudulent telecommunication activity, comprising a digital computer (107); inter- 
face means (1 1 1), operatively connected to the digital computer (107), for receiving a call information record for each call involv- 
ing a particular subscriber; comparison means, operating within the digital computer (107), for comparing a parameter of the 
particular subscriber's current usage with a subscriber-specinc pattern of the particular subscriber's historical usage; and output 
means for oulputting an indication of a potentially fraudulent call based upon a result of the comparison performed by the com- 
parison means. 
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AN APPARATUS AND METHOD FOR DETECTING POTENTIALLY 
FRAUDULENT TELECOMMUNICATION ACTIVITY 

Background of the Invention 

1. Field of the Invention 
5 This invention relates to monitoring telecommunication 

systems, and more specifically, to an apparatus and method 
for detecting potentially fraudulent telecommunication 
system usage. Telecommunication systems include both 
wireless systems (e,g, , cellular telephones, satellite 

10 transmission, etc.) and systems utilizing transmission 
lines (e.g., common telephone systems). Fraudulent 

" telecommunication activity is unauthorized usage for which 

the telecommunication system owner is not paid for its 
services. 

15 2. Description of the Related Art 

Because immediate access to information has become a 
necessity in virtually all fields of endeavor — including 
business, finance and science ~ telecommunication systems 
usage, particularly for wireless telecommunication systems^ 

20 is increasing at a substantial rate. With the increase in 
overall usage, however, the incidence of fraudulent usage 
has experienced a corresponding increase* It is estimated, 
for example, that fraudulent wireless telecommunication 
system usage is responsible for losses to the wireless 

.25 telecommunication industry of $600 million each year. 

Clearly, a system for detecting and preventing such 
fraudulent activity would be highly desirable. 

Fraudulent telecommunication activity , which may 
occur both in wireless and common telephone systems, has 
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several different varieties. Among these varieties are 
cloning fraud, tumbling fraud, tumbling-clone fraud, 
calling card fraud, and subscriber fraud. 

Cloning fraud, which occurs in cellular telephone 
5 systems, involves the misappropriation of a valid set of 
subscriber identification numbers (ID) , programming the ID 
into one or more cellular telephones, and then using the 
"cloned" cellular telephones to place calls which are 
billed to the subscriber whose ID was misappropriated. 

10 Tumbling fraud involves placing cellular telephone 

calls using a different randomly generated subscriber ID 
for each telephone call placed. Under cert^^^ 

circumstances no pre-call verification of the ID number is 
performed before the call is connected. Therefore, a 

15 fraudulent user may place calls even without possessipn of 
a valid subscriber ID. In this way, for example, 50 
fraudulent calls placed by a single fraudulent user will be 
^ b 50 different subscriber IDs, most of which' will 

be unassigned and unbillable, rather than to a single 

2 0 subscriber as in the case of cloning fraud. 

Tumbling-Clone fraud, as the name suggests, is a 
hybrid of tumbling fraud and cloning fraud which involves 
placing cellular telephone calls using a plurality of 
cloned subscriber IDs. For example, a tumbling-clone 

25 cellular telephone may have a sequence of 10 different 
cloned subscriber IDs programmed into it. With each 
successive call placed by the fraudulent user, the cellular 
telephone would use the cloned subscriber ID next in 
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sequence to initiate the call. In this way, the fraudulent 
calls would equally be dispersed over 10 different 
subscriber IDs, consequently making the fraudulent activity 
more difficult to detect. 

Calling card fraud involves the misappropriation of a 
valid calling card number and then using the 
misappropriated number to place toll calls which' are billed 
to an unsuspecting subscriber. 

Subscriber fraud, which may occur in either cellular 
telephone or common telephone systems, involves fraudulent 
usage by an otherwise legitimate subscriber. Typically, 
this type of fraud is experienced when a sxibscriber signs 
up for telecommunication services, either cellular or 
calling card, and proceeds to use the telecoinmunioation 
services with no intent of ever paying for the services 
provided. A user practicing subscriber fraud would 
continue to use the services without paying until system 
access was blocked by the service provider* 

Although a number of prior fraud detection and 
prevention systems have been suggested, all have proved 
inadequate for various reasons. One proposed solution 
involves setting a predetermined ntimber as a system-wide 
threshold for the number of cellular calls that may be 
placed by an individual subscriber in one day; when the 
i predetermined number is exceeded, the method indicates that 
fraud has occurred. The system-wide threshold method, 
however, has several drawbacks. For example, this method 
applies the same threshold to every user. Typically, a 
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high-volxime subscriber such as a stockbroker may ; regularly 
place a large voluiae of calls each day in the normal course 
of business, whereas a low-volume subscriber who maintains 
a cellular telephone primarily for emergency usage may only 
5 place a few calls each week. The system-wide threshold 
method would be inadequate for each of these users, because 
it would generate a false aleirt for the high-volume 
subscriber who happens to legitimately exceed the threshold 
on a given day, while, incorrectly, no alert would be 
10 generated for the fraudulent use of the lowr-volume 
subscriber ID, as long as the threshold was not exceeded. 
Moreover, the system-wide threshold method is easily 
defeated by a fraudulent user who is aware of the 
predeteinnined threshold and takes care to limit the nuinber 
1,5 of fraudulent calls placed to a nuitdDer 
..;r,:.t;hreshold.. ■ 

^ ^ Another method, referred to as "call jiumJperi^ 

been proposed to detect fraudulent cellular telephone 
calls, wherein a predetermined sequence of numbers is 
20 assigned to each cellular telephone unit within the network 
and, with each successive call placed, the next number in 
sequence is transmitted by the cellular telephone unit to 
the service provider station and recorded in the order 
received. When the call records are processed, if any call 
25 sequence number occurs more than once, or if the call 
sequence numbers are out of order, fraud or malfunction is 
indicated and the cause must be investigated. This method, 
however, has the disadvantage, inter alia, of requiring 
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that the cellular telephone unit be modified to include 
additional equipment to generate and transmit . the 
predeteirmined sequence of numbers. Consequently, the "call 
numbering" method is incompatible with the large majority 

_ 5. of existing telecommunication equipment that has not been 

modified. 

Moreover, the call numbering method is unreliable. It 
has been found that the call number sequence may become 
disordered through normal legitimate use, by events such as 

10 early termination of the call or power failure, thereby 
resulting in false alerts, 
r 1. J. Therefore, a system which reliably and accurately 

indicates the possibility of fraudulent telecommunication 
activity, but which is flexible enough to permit legitimate 

15 use by a wide variety of subscribers , and which is 
compatible with all types of existing telecQmmunication 
equipment is needed. 

Summary of the Invention 

It is an object of the present invention to provide a 
method and apparatus for detecting potentially fraudulent 
telecommunication activity by comparing current usage for 
a particular subscriber ID or calling card nximber with the 
particular subscriber's historical pattern of usage. If 
current usage for that ID or calling card number indicates 
a deviation in the historical pattern of usage by the 
subscriber, a potential fraud is indicated. 
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In one embodiment of the invention, :th^ particular 
subscriber's usage is analyzed to determine parameters such 
as call duration (the average length in time of. a call) , 
call velocity (the number of calls placed vrithin a 
5 specified time period), and call thresholds (the highest 
number of calls placed by the subscriber within a specified 
time period) . One or more of these paraiaeters then 
compared to the particular subscriber's histor^ical pattern 
of usage* If there is abnormal usage reJ^aitiye to. the 
10 subscriber's historical pattern of usage, a^ptential *f 
is indicated. 

In one embodiment a particular subscriber's u^age is 
characterized as a plurality of moving, averages, each 
calculated over a different specified number of days,, which 

15 are then compared to each other to dejterminQ/ a 
significant deviation in usage has occyirredv;^ 
significant deviation in usage is detected, a potejitial 
fraud is indicated. 

In another embodiment, a significant deviation in 

2 0 usage is indicated when both of the following . two 
conditions are satisfied: (1) a moving average calculated 
over a shorter number of days is greater than a moving 
average calculated over a longer number of days; anfi (2) 
the percentage increase between a moving average calculated 

25 on day (t) and the same moving average calculated on the 
prior day (t-1) exceeds a predetermined amount. 

It is a fui^ther object of the present invention to 
provide a method and apparatus for detecting potentially 



V 
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fraudulent telecoinmunication activity by detecting an 
occurrence of overlapping calls. Overlapping calls are two 
or more calls which either (1) occur concurrently, or (2) 
are placed from different geographic regions and occur 
5 within a sufficiently short time interval such that it 
would be improbable that a single subscriber could place 
the first call and then travel to the location of the 
second call within the given time interval to place the 
second call. Because each unique subscriber ID or calling 
10 card number ma.y typically only be used by a single 
subscriber from a single location at one time, fraud is 
indicated upon occurrence of either or both of these two 
conditions. 

In one embodiment , the fraud detection apparatus looks 
15 at each call made by a particular subscriber to determine 
whether any two calls using the same siibscriber ID or 
calling card number occurred substantially concurrently • 

In another embodiment , the fraud detection apparatus 
adjusts each call for geographic dispersion to determine if 
20 two pr more calls were placed using the same subscriber ID 
or calling card number from different geographic locations 
within a sufficiently short time interval such that travel 
between the two geographic locations within the given time 
intearval is improbable. 
25 It is a further object of the present invention to 

provide a method and apparatus for detecting potentially 
fraudulent telecommunication activity by comparing the 
particular subscriber's present telecoitOQunication usage 
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with a predetermined call destination.. If "the 

predetermined subscriber-specific condition is satisfied, 
fraud is indicated. 

In one embodiment, each number called using a 
5 particular subscriber ID or calling card number, isf compared 
to a predetermined list of numbers suspected of frequently 
being called by fraudulent users. 

In a further embodiment, each country called using a 
particular subscriber ID or calling card number is coinpared 
10 to a predetermined list of countries suspected of 
frequently being called by fraudulent users* 

Several of the above-mentioned objects are achieved by 
an apparatus comprising a digital computer ; if^'^^^^f^^® means 
for receiving a call infoirmation record fpr each .call 
15 involving a particular subscriber; comparison mean^ for 
comparing the particular subscriber ' s current usage with a 
subscriber-specific historical pattern of usage; and output 
means for outputting an alert-state to signal a potentially 
fraudulent call based upon a result of the comparison 
20 perfoirmed by the comparison means. 

These and other features of the present invention will 
become evident from the detailed description set forth 
hereafter with reference to the accompanying drawings. 



Brief Description of Drawings 
25 A more complete understanding of the invention can be 

had by referring to the detailed description of the 
invention and the drawings in which: 
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FIG. lA is a diagram illustrating a typical cellular 
telecommunications network. 

FIG. IB is a block diagram of a telecommunications 
fraud detection system according to one embodiment of the 
5 present invention, 

FIG. 2 is a block diagram showing the componentis : of a 
Common Call Format (CCF) record according to one- embodiment 
of the present invention. 

FIGS. 3Ar3L are flowcharts of the Event Mianager. 
10 procedure. 

FIGS. 4A-^4L are flowcharts of the Alert Manager 
procedure. 

FIGS. 5A-5C are flowcharts of the User Interface 
/procedure-. ' - ■ 
15 FIG. 6 is a screen display of the Logii^r Window 'of the 

User: Interf ace in one - embodiment of the pres^ent invent ioi> . 

FIG. 7 is a screen display of the Control Window pf 
the User Interface in one embodiment of the present 
invention. 

20 FIG. 8 is a screen display of the Investigate 

Subscriber Window of the User Interface in one embodiment 

of the present invention. 

FIG. 9 is a graph showing call velocity fluctuations 

for a typical cloning fraud user. 
25 FIG. 10 is a screen display of the Monitor New SID(s) 

Window of the User Interface in one embodiment of the 

present invention. 
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FIG. 11 is a screen display of the Monitor Alerts 

Window of the User interface in one embodiment of the 

present invention. 

Detailed Description of the Invention 
5 A detailed description of an apparatus and method for 

detecting potentially fraudulent telecommunications 
activity, is set forth below with reference to the figures. 

A diagram illustrating a typical cellular 
telecommunications network is illustrated in FIG* lA. 

;ia Referring to FIG. lA, each predetermined fixed geographic 

region is served by a separate Mobile Switching Center 
(MSG) . Additionally, each MSG region may comprise orie pr 
more cells, wherein each cell is served by its own base 
station connected to the MSG for that region. In FIG. lA, 
Oi5^ by a first MSG 101 while Region , II is 

H rS^eryed by a second MSG 102 . : Region: I comprises four eel Ij^ , 
each having it^ base station 104 connected to the first 

MSG 101. Region II comprises three cells each having its 
own base station 106 connected to the second MSG 102. 
20 When a subscriber originates a call, the cellular 

telephone 103 communicates via a base station with the 
particular MSG serving that geographic region by means of 
wireless radiof requency transmission. The subscriber may 
either remain within the particular cell from which the 
2 5 call was originated or the subscriber may roam across cell 
and MSG region boundaries. For example, a cellular call 
may be originated by a subscriber in Cell A and the call 
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would be handled initially by the first MSG? 101. - However, 
because cellular telephones are mobile, the subscriber 
could travel from Cell A into Cell B during the course of 
the call. Upon crossing from Cell A into Cell B, the call 
5 would cease being handled by the first MSC 101 and may be 
picked up mid-call and handled by the second - MSC 102^ : 

Multiple MSCs are dispersed thrpughput . ttx^ pnited 

States, and much of the world, so that a subscriber may 
call from any geographic region served by a MSC. All; of 

10 the various MSCs around the world are interconnected by a 
global telecommunications network, so . v ^njbhat 

telecommunications may occur between two . pellvilar 
telephones, or between a cellular telephone and a physical 
line telephone, even if they are in different geographic 

15 regions. 

The function of a MSC is to receiy^ ^nd rpute.v 
cellular priginated calls and cellular teinninatedc 
A cellular originated call is one placed :byi a cellular 
telephone located within the MSC serving area to either 

2 0 another cellular telephone or a physical line telephone. 
A cellular terminated call is one received by a cellular 
telephone located within the MSC serving area, regardless 
if placed by a cellular or physical line telephone. 

Each subscriber's cellular telephone has its own 

25 unique ID corresponding to a set of identification numbers. 
The identification numbers comprise two individual 
identifiers — a Mobile Identification Number (MIN) , and 
(2) a Mobile Serial Number (MSN). The MIN is a ten-digit 
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number, corresponding to the ten-digit telephone niuober 
used in North America, having the format npa-nxx-xxxx, 
where npa is a three-digit area code, nxx is a three-digit 
prefix which identifies the serving switch, and xxxx is a 
5 four-digit suffix which identifies the individual 
subscriber or physical line number. The combination of the 
npa and nxx components form a number which identifies a 
subscriber's "home" MSG, At the initiation of each call, 
the cellular telephone transmits to the MSG its unique 
10 combination of MIN and MSN. For ^ach call, whether 
cellular originated or cellular terminated, each MSG 
handling the call creates a separate Gall Detail Repord 
(CDR) which contains several items of information 
describing the call and the subscriber. For example, the 
: 15^; CDR contains^ the following call information items : MIN, 
MSN, number called, call duration, call pr^gination dat^ 
.and time, country called, information ideiitifying the^-^^^ 
etc. The format of the GDR, however, is not consistent 
among the several different providers of cellular telephone 
20 service. At present, for example, at least five different 
CDR formats exist. 

As mentioned above, each individual subscriber has a 
single home MSG corresponding to the npa and nxx components 
of the subscriber's MIN. Unless a cellular subscriber has 
25 previously notified the home MSG of his or her whereabouts, 
the subscriber may only receive a cellular terminated call 
when that subscriber is within his or her home MSG region. 
In most cases, a subscriber may initiate a cellular 
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originated call, however, from any MSG region without any 
special proactive requirements, A subscriber who 

originates a cellular call from a region other than his or 
her home MSG region is referred to as a "roamer." Because 
3; only the subscriber's home MSG maintains a database of that 
subscriber's identity and status, a MSG handling a roamer 
call is unable to verify whether or not the subscriber MIN 
and MSN received, for a call are valid. ; Accordingly, for 
each roamer call handled by a MSG, the MSG records GDR 
10; information for that call and sends the inf ormatipn to a 
clearing house. The clearing house collects all: CDRs 
pertaining to a particular MSG, creates a magnetic tape ~ 
a roamer tape --containing multiple GDRs , and sends, the 
tape to the appropriate home carr 
15 FIG. IB is a block diagram of a telepommunications 

fraud detection system according to one embodiment of -the 
present invention. Initially, a general description of the 
fraud detection system 107 is provided as follows. 

The fraud detection system 107 of the present 
2 0 invention, comprising the switch interface 111, the eyent 
manager 113, the alert manager 115, and the user interface 
117, is implemented, in one embodiment, as software running 
on a digital computer, for example, a Sun Microsystems 
workstation. The digital computer includes memory means 
25 for storing computer programs and data; processing means 
for running computer programs and manipulating data; and 
input/ output means for communicating with a MSG, a system 
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operator, a magnetic tape drive (not shown) , or another 
computer (not shown). 

CDR records for both cellular originated and cellular 
terminated calls fed into a switch interface^ 111 both from 
5 the MSG 101 directly and from a roamer tape 109. After the 
switch interface 111 translates a CDR record into a Jfolnnat 
understandable to the fraud detection system lOT — ^ the CCF 
format — a CCF record is passed to the event manager 113. 
The function of the event manager 113 is to perform a 
10 number of checks to compare the present CCF record Jboth 
with past subscriber-specific usage information and with 
certain predetermined conditions to determine whethe^p^^^^^^^^^^ 
particular CCF record should trigger the event manager 113 
to generate an "event." If an event is generated by the 
15 event manager 113 it is logged to a database r--; the "^^^ 
database" — containing past events sp^epifie t 
subscriber and passed tp the alert manager 115. v^^P^^^^^S 
on the nature and quantity of past events for a particular 
subscriber, a newly received event may cause the alert 
20 manager 115 to generate an "alert" for the particular 
subscriber ID in question. Each of the alerts generated is 
stored in a database — the "alerts database" — specific 
to each subscriber. Depending upon a predetermined set of 
rules, either a single alert or a specific combination of 
25 alerts may generate an "alert-state" which is passed to the 
user interface 117 to signal the system operator 119 that 
the particular subscriber ID for which the alert-state was 
generated is suspected of being used fraudulently. Each of 
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the alert-states generated is stored in a database ~ the 
"alert-states database" — specific to each subscriber. 
The system operator 119 may then investigate a subscriber 
ID for which an alert-state was generated by looking at 
5 subscriber-specific data, a graph of the particular 
subscriber's call velocity for a given time period,: and the 
history of alerts and events which eventually trigger<ed the 
alert-state in question. Once the system operator V clears" 
an alert it will no longer be considered in deterinining 
10 whether an alert-state should be generated for a particular 
subscriber ID. 

Referring to FIG. IB, a more detailed description of 
the fraud detection system 107 is provided as follows. A 
- cellular telephone 103 communicates with a MSG 101 to place 
15 : a call either to a physical line telephone lOSf ' pr tQ 
^ cellular telephone. Additionally, = the 'cel^ 

^ t^ 103 may receive a call originated by' eitherja 

physical line telephone 105 or another eel l,ular tj^le^phra 
The MSG 101 creates a separate CDR record for each call 
20 that it handles, whether cellular originated or cellular 
terminated. Each individual MSG 101 is connected to a 
fraud detection system 107 which receives CDR records as 
input from the MSG. The GDR input read directly from the 
MSG 101 into the fraud detection system 107 corresponds to 
25 calls handled by that MSG for its home subscribers. CDR 
records not involving the MSG' s home subscribers are sent 
to a clearing house to generate roamer tapes to be sent to 
the appropriate home MSG, as discussed above. 
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Alternatively, if the fraud detection system 107 was 
interconnected to one or more "peer" fraud detection 
systems, i.e., a separate system serving a different MSG, 
after the switch interface 111 had converted the CDR 
5 records into CCF format, the fraud detection sfystem 107 
would send those CCF records corresponding to roamer calls 
to the appropriate peer fraud detection system 
corresponding to the respective home MSG of each roamer 
call. = 

10 Additionally, the fraud detection system 107 recesives 

input from a roamer tape 109 by means of a magnetic ^,t^ 
reader ( not shown) in a format referred to as the CI BE 
format. The combination of the home MSG 101 input and the 
roamer tape 109 input represents all of the call activity 

15 for a MSG'S home subscribers, regardless of the gepgraphic 
region in which the calls were originated ; or termiiiat^ 

The call information input , whether from the roamer 
tape 109 or from the home MSG Ipl, is fed into the switch 
interface 111 of the fraud detection system 107.: The 

20 function of the switch interface ill is to translate the 
various GIBER and CDR input formats into a consistent 
format — the Common Gall Format (CCF). The switch 
interface 111 is capable of accepting CDR input in any of 
the existing formats, and is easily adaptable to new^ CDR 

25 formats created in the future. Typically, a CCF record 
contains only a subset of the total information contained 
in a CDR. This subset of information corresponds to those 
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information items used during operation of the fraud 

detection system 107. 

Alternatively, in another embodiment of the present 
invention, the fraud detection system 107 may receive input 
5 from a telecommunications system other than a cellular 
telephone MSC. For example, the fraud detection system may 
receive input from a calling card system to detect calling 
card fraud merely by modifying the switch interface 111 to 
accept the data format specific to the calling card system 
10 used. 

FIG. 2 illustrates one embodiment of the present, 
^ -^^^^^^^^ i^^ the CCF Record 201 comprises sixteen 

separate fields , numbered 203 thrpugh 233. The combination 
of the npa field 203, the nxx field 205, and the xxxx field 
15 207 comprise the subscriber Is ten-digit telephone nu m ber, 
or^ MIN, as discussed above. The switch interface 111 
-separates the MIN into three components so that each may be 
separately accessed with ease. 

The MSN field 209 holds the subscriber Mobile Serial 
20 Number (MSN) which, as discussed above, is transmitted 
along with the MIN by the cellular telephone 103 to the MSG 
101 with each cellular originated call. 

The call type field 211 holds a value of "0" if this 
call was cellular originated or a value of "1" if this call 
25 was cellular terminated. 

The answer status field 213 holds a value of "0" if 
this call was not answered by the party called or a value 
of "1" if the call was answered. 
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The called number field 215 holds the number dialed by 
the cellular subscriber for this call. 

The country code field 217 holds a nuiober 
corresponding to a unique code for the particular country 
called by the cellular subscriber for this call. 

The roamer status field 219 holds a "TRUE" state if 
tlie subscriber was a "roamer" when the call was originated, 
that is, the subscriber placed the call through a MSG other 
than his or her home MSG, or a "FALSE" state if the 
subscriber placed the call from his or her home MSG* 

The sid field 221 holds a switch identifier number 
identifying the serving MSG that generated the present GDR 
record for this call. Because a subscriber may move 
between different MSG regions during the course of a single 
cellular pall, multiple MSGs may handle a single call in 
: -^successive fashion as the subscriber roams between MSG 
Accordingly, multiple GDR records may be 
generated for a single call — one for each MSG that 
handled the call. The sid field 221 identifies the MSG 
) that generated this particular GDR, even if it was not the 
MSG on which the call originated. 

The first serving MSG field 223 and the first serving 
cell field 225 identify the specific MSG and cell, 
respectively, on which the call originated. As discussed 
5 above, both the cell and the MSG which handle a call may 
change as the subscriber roams across cell and MSG region 
boundaries. Although each MSG which handles a call will 
generate a separate GDR having its own switch number in the 
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sid field 221, the first serving MSG field 223 and the 
first serving cell field 225 will remain constant for all 
CDR records pertaining to a single call. 

The orig time field 227 and the orig date field 229 
5 hold the time and date, respectively, at which the present 
call was originated. 

The call feature field 231 holds information 
indicating whether this call utilized a call ^feature,; such 
as call waiting, call forwarding, or three-way calling. 
10 Lastly, the call seconds field 23 3 holds the duration 

of the present call in seconds. 

Referring again to FIG. IB, once the switph inte;rf ace 
111 has translated the CDR or CIBER format input into a CCF 
record, it passes the CCF record to the event manager ^113 . 
15 The event manager 113 procedure is illustrated a 
flowchart in FIG. 3A. The function of the event mana<ger is 
to perform a number of checks to compare the Ypre^sen^^^ 
record both with past subscriber-specific usage information 
and with certain predetermined conditions to determine 
20 whether this particular CCF record should trig^ier an 
"event." 

Referring to FIG. 3A, the seirvices indicated by steps 
S303 through S309 are referred to as "call event" checks. 
In the call event checks the CCF record is compared to a 
25 set of predetermined conditions to determine whether or not 
an event should be generated for this CCF record. ^Call 
events are further broken down into the following event 
types: number events, country events, credit events, and 
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overlap events* Additionally, overlap events have two 
event subtypes: geographic dispersion and simultaneous 
calls. 

The services indicated by steps S3 11 through S3 21 are 
5 referred to as "pattern event" checks. In the pattern 
event checks the CCF record is used to update a plurality 
of previously compiled subscriber-specific usage patterns 
which define a particular subscriber 's typical ysage. Each 
CCF record received by the event manager is used to update 
. 10 and maintain an individual usage pattern for the particular 
subscriber to which the CCF record pertains. In pattern 

event checks the event manager will generate an event -when 

the present CCF record, when used to update the subscriber- 
specific usage pattern, causes the subscriber's usage 

,15 pattern to indicate a trend of abnoinnal usage suggests of 
fraudulent telecommunications activity* Pattern events are 

: - further broken down into the following event types: average 
events and threshold events. Additionally , average events 
have the following four subtypes: velocity, international 

20 velocity, duration, and international duration. Threshold 
events have the following six subtypes: daily velocity, 
daily international velocity, five-day average velocity, 
five-day average international velocity, ten-day average 
velocity, and ten-day average international velocity. 

25 The event manager procedure initiates at step S3 00 

when the event manager 113 receives a CCF record from the 
switch interface 111. At step S3 01 the event manager 
parses the CCF record to place the CCF component fields 
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into appropriate variables and data structures to be easily 
accessible by the event manager services. It should be 
"'noted that due to delays in creating and forwarding roamer 
tapes to the appropriate home MSG, a CCF record being 
5 processed by the fraud detection system on a particular day 
may actually correspond to a call placed several days 
earlier- Therefore, for each of the steps perfoirmed by the 
fraud detection system, as discussed below, the CCF record 
. is analyzed based on the day the call was originate^, 
^^10 rather than on the date on which the CCF record is 
processed by the fraud detection system. For the s;ake of 
convenience, the date on which a call originated will be 
referred to as the "call date," while the date on which the 
CCF record is processed by the fraud detection system .will 
15 be referred to as "today," The date on which a qall 
originated is determined by the value held by the or ig date 
field 229 of the CCF record 201, Additionally, the fraud 
detection system maintains a database of all CCF records 
received over the past predetermined number of days so that 
20 a delayed CCF record can be analyzed in connection ^with 
other calls placed on the same day. This database is 
" referred to as the "calls database." 

At step S3 02 the event manager uses the present CCF 
record to update the subscriber-specific usage patterns. 
25 Specifically, the event manager calculates new five-day and 
ten-day moving averages for each of the call velocity 
pattern, the international call velocity pattern, the call 
duration pattern, and the international call duration 
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pattern- A moving average is a technique used in time- 
series analysis to smooth a series or to determine a i trend 
in a series, calculated by the equation: 

5 m^ = S: u^ 



21 to day 25 where U2i=16, ^^2Z'^^ ' ^23^^^ ' ^24*^^ ' and Ugs" 



d 

where m„ is the moving average on day n; k is an- index 
counter; d is the number of days over which the* average is 
10 calculated and u, u^, u^ are a series , of values to be 

averaged. For example, assume a series of values ove:;? day 

=15. 

To calculate a five-day moving average on the 25th day; ^25/ 
n is equal to 25, d is equal to 5, and k takeis the 
15 successive values 21, 22, 23, 24, and 25. 
Therefore: 

1^25 = ^21_J|- ^22_J»^ ^23 + ^24^]^ j^25 

-5 '■ ■■■ 

20 =16 + 9 + 12 -h ; 8i < >h r5 ^ X 

= 12, 

Five and ten-day moving averages are calculated for each of 
25 the above-listed four patterns in similar fashion; For 
example, the five-day moving average call velocity is 
calculated by summing the number of calls originated within 
the past five days using a particular subscriber ID and 
dividing the total by five. Of course, the ten-day 
3 0 averages are calculated by summing over ten days and 
dividing by ten, rather than five. In order to calculate 
the ten-day moving average, the fraud detection system 
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saves CCF records for each particular subscriber for the 
past eleven days. 

Although this embodiment of the present invention 
characterizes subscriber-specific usage patterns by 
5 utilizing two moving averages calculated over five days and 
ten days, respectively, it should be noted that an 



alternative embodiment may utilize other - typeis of 
characterizing schemes, for example a weighted moving 



10 utilized, a different number of moving averages, for 
example one, three or more, may be used as deemed 
effective. Moreover, the moving averages may be calculated 
oyer a number of days different than five and ten, as 
desired. 

15 Next, the event manager mns the CCF record through a 

series of call event checks and pattern .event checks , 
represented by steps S3 03 through S321. , A^^ 
embodiment of the present invention arranges these checks 
in a specific order as illustrated in FIG. 3A, the checks 

2 0 are substantially order independent and may proceed in any 
convenient order. 

In the embodiment of the present invention depicted in 
FIG. 3A, the event manager performs the checks in the 
following order: (1) check suspect termination, (2) check 

25 suspect country code, (3) check credit limit, (4) check 
overlap calls, (5) check call duration pattern, (6) check 
international call duration pattern, (7) check call 
thresholds, (8) check international call thresholds, (9) 



average . 



Additionally, even if moving averages are 
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- Check call velocity pattern, and (10) check international- 
call velocity pattern. Each of these checks will be 
described in further detail below with reference to, FIGS. 
3B-3L. 

5 Referring to FIG, 3B, the Check Suspect Termination 

service S3 03 is responsible for determining whether the 
number called by the cellular subscriber is suspected of 
being called by other fraudulent cellular telephone users. 
This service receives the called number f ieldl 215; of the 
10 CCF Record 201 as an argument. 

First, at step S325, the service deterinines^^w^ 
the present call was cellular originated by examirjirig 
call type field 211 of the CCF Record 201, Becausev this 
event check is only relevant for cellular originated calls, 
15 if the present call was not cellular originatedrthe sei^ 
flows to step S337, which marks the cojaplet^^ 
Suspect Termination service. ^ J ^'/y'^/: y.- 

If the present call was cellular s^priginat^^d^^^^^ 
determined from the call type field 211, the service^ at 
20 step S327, tests whether the number called, held in the 
called number field 215, matches a number on a 
predetermined list of numbers set by the telecommunication 
service provider and maintained in a database by the fraud 
detection system 107. If no number on the list is matched 
25 the service flows to step S3 37 and this check is completed. 

If a matching number is found the service, at step 
S329, tests whether the matched number from the database 
has been flagged as "suspect." If a specif ied field in the 
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database of numbers is marked "TRUE," then the matched 
number will be determined to be suspect and the service 
will flow to step S331. Otherwise, if the specified 
database field is not marked "TRUE," then the service flows 
5 to step S3 3 7 and the check is completed. 

At step S331, it has been determined that a nximber 
called using the particular subscriber ID for this CCF 
Record is a number suspected of being called by other 
fraudulent users. Accordingly, the service generates^^^ a 
10 "suspect termination event" by recording th^ iey^nt 

"number event," along with specific information particular 

1 to; .this call in the events database f or^^^ 

subscriber ID. i 
Next, at step S333, the "event context" data strxiqture 
15 is built with information specif ic to this event. The event 
context data structure contains information including (1) 
Zi the event typ^ (^'number event") ; (2) the. event :.,^s 

this event type); (3) the sxibscriber ID nim^ 
-(cpi^iresponding to the three MIN fields 203, 205, 207 and 
20 the MSN field 209) ; (4) the call date (from the orig date 
field 229) ; and (5) the current alert-state (either normal, 
yellow, or red depending on the nature and quantity of 
alerts outstanding for this particular subscriber as 
determined by the alert manger, discussed below) . 
2 5 Next, at step S3 35, the service sends the event 

context data structure previously built at step S3 3 3 to the 
alert manager 115 to signal the alert manager that a new 
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event has been generated and to provide a reference for 

locating the newly generated event in the events dataO^ase. 

Lastly, the service flows to step S337, where the 
suspect termination check is completed and the next check 
5 in the event manager procedure is initiated. 

Referring to FIG. 3C, the Check Suspect Country Code 
service S305 is responsible for determining whether the 
country called by the cellular subscriber, as indicated by 
the country code, is suspected of being called by other 

Ip fraudulent cellular telephone users. This service receives 

the called number field 215 of the CCF Record 201 aiKi its 

related country code as arguments. 

First, at step ,S339, the service determines wheth^^ 
the present call was cellular originated by e3fcaminiiig^ 
15 call type field 211 of the CCF Record 201. Bepause this 
event check is only relevant for cellular originated Spalls, 
: :■ • ; if . the present call was not cellular originated the se^rvice 
t "flows to step S3 51, and the Check Suspect Country Code 
service is completed. 
20 If the present call was cellular originated as 

determined from the call type field 211, the seirvice, at 
step S341, tests whether the country code called matches a 
country code on a predetermined list of numbers set by the 
telecommunication service provider and maintained In a 
25 database by the fraud detection system 107. If no country 
code on the list is matched the service flows to step S3 51 
and this check is completed. 
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If a matching country code is found the service, at 
step S343, tests whether the. matched country code from the 
database has been flagged as "suspect," If a specified 
field in the database of country codes is marked "TRUE/" 
5 then the country code will be determined to be, suspect and 
the service will flow to step S345. Otherwise, if the 
specified database field is not marked "TOUE, TV then^ the 
service flows to step S351 and the check is completed. 

At step S345, it has been determined that a country 

10 called using the particular subscriber ID for this CCF 
Record is a country suspected of being ca.lled by =other 
fraudulent users. Accordingly, the service generates a 
"suspect country code event" by recording the 'even^^ 
"country event," along with specific information particular 

15 to this call in the events database for t^ particul^^^ 
subscriber ID. ; : 

Next , at step S 3 4 7 , the event context data structure 
is built with information specific to this event,- as 
discussed above. The event context data structure for this 

20 service has the event type, "country event," and no event 
subtype. 

Next, at step S349, the service sends the event 
context data structure previously built at step S347 to the 
alert manager 115 to signal the alert manager that a new 
25 event has been generated and to provide a reference for 
locating the newly generated event in the events database. 
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Lastly, the seirvice flows to step S351, where the 
suspect country code check is completed and the next check 
in the event manager procedure is initiated. 

Referring to FIG. 3D, the Check Credit Limit sejryice 
5 S307 is responsible for determining whether a particular 
subscriber has exceeded his or her specified usage limit by 
maintaining a running cumulative total usage duration for 
each subscriber and comparing the running total to a 
pr;edeterTnined value set by the telecommunication service 
10 provider. This service receives, the call seconds field 233 
from the CCF Record 201 as an argument. 

First, at step S353, the service tests whether this 
. , particular subscriber has an entry for the present month in 
thercredit limit database maintained by the fraud detection 
: ^15:^^"^^^ If: a; credit liiait entry is not found - an: 

inconsistency in the system has been ^.^^^^ an ejrror 

is logged to an error handling server and the service flows 
to instep S3 67 which marks the completion of the credit limit 
qheck . 

20 If a credit limit entry is found for this particular 

subscriber for the present month, the service flows to step 
S357 where the running monthly usage total for this 
particular subscriber is updated by adding the usage for 
the present call,; represented by the value held in the call 

25 seconds field 233, to the previous monthly usage total for 
this particular subscriber. 
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What is claimed is : 



1. 



An apparatus for detecting potentially fraudulent 



10 



15 



20 



telecommunication activity , comprising : 
a digital computer; 

interface means, operating within said digital 
computer, for receiving a call information record for each 
call involving a particular subscriber; 

pattern means, operating within said digital computer, 
for using a plurality of said call information record for 
said particular subscriber to identify a subscriber- 
specific pattern of historical call usage and relative to 
which deviations from said historical call usage can be 
detected that may be indicative of fraudulent call 
activity ; 

comparison means, operating within said digital 
computer, for comparing the particular subscriber's current 
call usage with information relating to said subscriber- 
specific pattern of historical call usage to identify 
potentially fraudulent call activity; and 

output means, operating within said digital computer, 
for outputting an indication of a potentially fraudulent 
call activity based upon a result of the comparison 
performed by said comparison means, 

2. A telecommunication fraud detection apparatus 
according to Claim 1, wherein said information relating to 
said subscriber-specific pattern of historical call usage 
includes a subscriber-specific pattern of historical call 
duration usage and said comparison means compares the 
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particular subscriber's current call duration usage with 
said subscriber-specific pattern of historical call 
duration usage. 

3. A telecommunication fraud detection apparatus 
5 according to Claim 1, wherein said information relating to 

said subscriber-specific pattern of historical call usage 
includes a subscriber-specific pattern of historical call 
velocity usage and said comparison means compares the 
particular subscriber's current call velocity usage with 
10 said subscriber-specific pattern of historical call 
velocity usage. 

4 . A telecommunication fraud detection apparatus 
according to Claim 1, wherein said information relating to 
said subscriber-specific pattern of historical call usage 

15 includes subscriber-specific call velocity thresholds and 
said comparison means compares the particular subscriber's 
current call velocity usage with said subscriber-specific 
call velocity thresholds. 

5. A telecommunication fraud detection apparatus 
20 according to Claim 1, wherein said information relating to 

said subscriber-specific pattern of historical call usage 
includes a subscriber-specific daily call velocity 
threshold and said comparison means compares the particular 
subscriber's current daily call velocity usage with" said 
25 subscriber-^specif ic daily call velocity threshold. 

6. A telecommunication fraud detection apparatus 
according to Claim 1, wherein said information relating to 
said subscriber-specific pattern of historical call usage 
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includes a subscriber-specific five-day moving average call 
velocity threshold and said comparison means compares the 
particular subscriber's current five day moving average 
call velocity usage with said subscriber-specific five-day 
5 moving average call velocity threshold. 

7 . A telecommunication fraud detection apparatus 
according to Claim 1, wherein said information relating to 
said subscriber-specific pattern of historical call usage 
includes a subscriber-specific ten-day moving average call 

10 velocity threshold and said comparison means compares the 
particular subscriber's current ten day moving average call 
usage with said subscriber-specific ten-day moving average 
call velocity threshold. 

8- A telecommunication fraud detection apparatus 

15 according to Claim 1, wherein said comparison means 
compares the particular subscriber's current usage with a 
combination of at least two of the following of said 
information relating to said subscriber-specific pattern of 
historical call usage: a subscriber-specific pattern of 

20 historical call duration usage, a subscriber-specific 
pattern of historical call velocity usage, and a 
subscriber-specific pattern of historical call velocity 
usage that includes subscriber-specific call velocity 
thresholds, 

25 9. A telecommunication fraud detection apparatus 

according to Claim 1, wherein at least one of said current 
call usage and said information relating to said 
subscriber-specific pattern of historical call usage 
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includes a moving average, and said comparison means 
performs a comparison using said moving average. 

10. A telecommunication fraud detection apparatus 
according to Claim 1, wherein at least one of said current 
5 call usage and said information relating to said 
subscriber-specific pattern of historical call usage 
includes a five-day moving average, and said- comparison 
means performs a comparison using said five-day moving 
average . 

10 11. A telecommunication fraud detection apparatus 

according to Claim 1, wherein at least one of said current 
call usage and said information relating to said 
subscriber-specific pattern of historical call usage 
includes a ten-day moving average, and said comparison 

15 means performs a comparison using said ten-day moving 
average • 

12 . A telecommunication fraud detection apparatus 
according to Claim 1, wherein at least one of said current 
call usage and said information relating to said 
20 subscriber-specific pattern of historical call usage 
includes a plurality of moving averages, and said 
comparison means performs a comparison using said plurality 
of moving averages. 



25 according to Claim 1 , wherein said current call usage 
includes a five-day moving average and said information 
relating to said subscriber-specific pattern of historical 
call usage includes a ten-day moving average, and said 



13. A telecommunication fraud detection apparatus 
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comparison means performs a comparison using said five-day 
moving average and said ten-day moving average. 

14 . A telecommunications fraud detection apparatus 
according to Claim 1, wherein said output means, in 
5 response to information provided by said comparison means 
that identifies potentially fraudulent call activity, 
decides whether or not to output an indication of a 
potentially fraudulent call according to a predetermined 
set of rules. 



according to Claim 1, wherein said pattern means further 
comprises means for characterizing the particular 
subscriber's current call usage as a first moving average 
and said subscriber-specific pattern of historical call 
usage as a second moving average, each calculated over a 
different specified number of days, wherein said comparison 
means compares the first moving average to said second 
moving average to determine if a meaningful increase in 
usage has occurred . 

16. A telecommunication fraud detection apparatus 
according to Claim 15, wherein said said second moving 
average is calculated over a greater number of days than 
said first moving average, and 

wherein said output means outputs an indication of 
potentially fraudulent call activity, when each of the 
following two conditions are satisfied: (1) the first 
moving average is greater than the second moving average; 
and (2) a percentage increase between the first moving 



15. A telecommunication fraud detection apparatus 
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average calculated on day (t) and the first moving average 
calculated on day (t-1) exceeds a predetermined amount. 

17 . A telecommunication fraud detection apparatus 
according to Claim 1, wherein said comparison means 

5 comprises means for generating an event E, wherein E is a 
velocity event, a duration event, a velocity threshold 
event . 

18. A telecommunication fraud detection apparatus 
according to Claim 1, wherein said comparison means 

10 comprises means for generating an alert A, wherein A is a 
doubling velocity alert indicating that the velocity of 
calls by said particular subscriber has doubled over a 
predetermined period, a 3-in-5 velocity alert indicating 
that three velocity-type events have occurred within a five 

15 day period that are associated with said particular 
subscriber, a doubling duration alert indicating that the 
duration of calls by said particular subscriber has doubled 
over a predetermined period, a 3-in-5 duration alert 
indicating that three duration-type events have occurred 

2 0 within a five day period that are associated with said 
particular subscriber,' a daily velocity threshold alert, a 
5-day average velocity threshold alert, a 10-day average 
velocity threshold alert. ■ 
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19 • An apparatus for detecting potentially fraudulent 
telecommunication activity, comprising: 
a digital computer; 

interface means, operating within said digital 
5 computer, for receiving a call information record for each 
call involving a particular subscriber; 

analysis means, operating within said digital 
computer, for analyzing the particular subscriber's call 
usage, based upon one or more of said call information 
10 record, to identify potentially fraudulent call activity, 
said analysis means generating or processing information in 
the course of identifying potentially fraudulent call 
activity; and 

output means, operating within said digital computer, 
15 for outputting an indication of said potentially fraudulent 
call activity based upon a result of the analysis performed 
by said analysis means, and for displaying at least some of 
said information generated during the analysis that 
identified said potentially fraudulent call activity so an 
2 0 assessment of said potentially fraudulent call activity can 
be made. 

20, A telecommunication fraud detection apparatus 
according to Claim 19, wherein said information displayed 
by said output means includes an event E, wherein E is a 
25 velocity event, a duration event, a velocity threshold 
event, a suspect number event, a suspect country event, a 
credit event, or an overlap calls event. 
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21. A telecommunication fraud detection apparatus 
according to Claim 19, wherein said information displayed 
by said output means includes an alert A, wherein A is a 
doubling velocity alert indicating that the velocity of 

5 calls by said particular subscriber has doubled over a 
predetermined period, a 3-in-5 velocity alert indicating 
that three velocity events that are associated with said 
particular subscriber have occurred within a five day 
period, a doubling duration alert indicating that the 

10 duration of calls by a subscriber has doubled over a 
predetermined period, a 3-in-5 duration alert indicating 
that three duration-type events that are associated with 
said particular subscriber have occurred within a five day 
period, a daily velocity threshold alert, a 5-day average 

15 velocity threshold alert, a 10-day average velocity 
threshold alert, a suspect number alert, a suspect country 
alert, a credit alert, or an overlap calls alert. 

22. A telecommunication fraud detection apparatus 
according to Claim 19 , wherein said information displayed 

20 by said output means includes the particular subscriber's 
status data. 

23. A telecommunication fraud detection apparatus 
according to Claim 19, wherein said information displayed 
by said output means includes a graph of the subscriber- 

25 specific pattern of usage. 
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24. A telecommunication 
according to Claim 19, wherein 
by said output means includes 
subscriber's call velocity. 




PCr/US93/10757 



fraud detection apparatus 
said information displayed 
a graph of the particular 
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25. An apparatus for detecting potentially fraudulent 
telecoBununication activity, comprising: 

a digital computer; 

interface means, operating within said digital 
5 computer, for receiving a call information record for each 
call involving a particular subscriber, said call 
information record derived from a telecommunication 
switching center that establishes connections between 
telecommunication devices; 

10 comparison means, operating within said digital 

computer, for comparing the call destination identified in 
said call information record involving the particular 
subscriber with a predetermined call destination to 
identify potentially fraudulent call activity; and 

15 output means, operating within said digital computer, 

for outputting an indication of said potentially fraudulent 
call activity based upon a result of the comparison 
performed by said comparison means. 

26. A telecommunication fraud detection apparatus 
20 according to Claim 25, wherein the predetermined call 

destination comprises a suspect termination number. 

27. A telecommunication fraud detection apparatus 
according to Claim 25, wherein the predetermined call 
destination comprises a suspect country code. 
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28. An apparatus for detecting potentially 
fraudulent telecommunication activity, comprising: 

a digital computer; 

interface means, operating within said digital 
5 computer, for receiving a call information record for each 
of at least two calls associated with a particular 
subscriber and derived from a switching center that 
establishes calls between telecommunication devices; 

detection means, operating within said digital 
10 computer, for detecting an occurrence of overlapped calls 
using said call information record for each of said at 
least two calls, said detection of overlapped calls 
indicating that calls associated with said particular 
subscriber were placed in an improbable time sequence that 
15 is indicative of potentially fraudulent call activity; and 

output means, operating within said digital computer, 
for outputting an indication of overlapped calls based upon 
a result of the analysis performed by said analysis means. 

29. A telecommunication fraud detection apparatus 
20 according to Claim 28, wherein said detection means detects 

an occurrence of overlapped calls that are substantially 
simultaneous calls . 

30. A telecommunication fraud detection apparatus 
according to Claim 28, wherein said detection means detects 

25 an occurrence of overlapped calls after consideration of 
geographic dispersion related information derived from said 
call information record for each of said at least two 
calls. 
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31, A telecommunication fraud detection apparatus 
according to Claim 28, wherein said detection means further 
comprises adjusting means for adjusting infonaation derived 
from at least one of said call information record to 

5 account for geographic dispersion between locations of said 
at least two calls • 

32. A telecommunication fraud detection apparatus 
according to Claim 28, wherein said detection means 
comprises adjusting means for adjusting information derived 

10 from at least one of said call infoirmation record to 
account for geographic dispersion using an airline formula 
that provides an estimate of the distance between the 
locations at which said at least two calls are initiated. 
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33. An apparatus for detecting potentially fraudulent 
telecommunication activity , comprising : 
a digital computer; 

interface means, operating within said digital 
5 computer, for receiving a call information record for each 
call involving a particular subscribers- 
parameter identifying means, operating within said 
digital computer, for identifying a parameter of the 
particular subscriber's current call usage based on 
10 information extracted from one or more call information 
records provided by said interface means; 

pattern identifying means, operating within said 
digital computer, for identifying a subscriber-specific 
pattern of historical call usage based on information 
15 extracted from a plurality of said call information 
records ; 

analysis means, operating within said digital 
computer, for analyzing the particular subscriber's current 
call usage to identify potentially fraudulent call 

20 activity, said analyzing means generating data in the 
course of identifying potentially fraudulent activity and 
using one or more of the following: information relating to 
the subscriber-specific pattern of historical call usage 
identified by said pattern identifying means, a value of a 

25 call destination parameter identified in a call information 
record by said parameter identifying means, or values of a 
call location parameter identified by said parameter 
identifying means; and 



wo 94/1 1959 ^ ^ PCT/US93/10757 

-104- 

output. means, operating within said digital computer, 
for outputting an indication of a potentially fraudulent 
call activity based upon a result of the analysis performed 
by said analysis means, and for displaying at least a 
5 portion of said data generated in the course of the 
analysis that identified said potentially fraudulent 
activity so an assessment thereof can be made. • 
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34. A method for detecting potentially fraudulent 
telecommunication activity, comprising the steps of: 

receiving a call information record for each call 
involving a particular subscriber; 
5 identifying a parameter of the particular subscriber's 

current usage by extracting information from one or more 
call information records; 

developing and maintaining a subscriber-specific 
historical call usage pattern by cumulatively processing 
10 information extracted from a plurality of call information 
records ; 

comparing the particular subscriber's current usage to 
the subscriber-specific historical call pattern to 
determine a deviation amount therebetween; and 
15 . outputting an indication of a potentially fraudulent 

call when the deviation amount exceeds a predetermined 
limit. 

35. A telecommunication fraud detection apparatus 
according to Claim 1, wherein said current call usage 

20 includes a first average of call usage, said information 
relating to said subscriber-specific pattern of historical 
call usage includes a second average of call usage, and 
said comparison means compares said first average of call 
usage to said second average of call usage. 

2 5 3 6. A telecommunication fraud detection apparatus 

according to Claim 1, wherein said current call usage 
includes a first average of call usage over a first period 
of time, said information relating to said subscriber- 
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specific pattern of historical call usage includes a second 
average of call usage over a second period of time that is 
different than said first predetermined period of time, and 
said comparison means compares said first average of call 
5 usage to said second average of call usage • 

37. A telecommunication fraud detection apparatus 
according to Claim 1, wherein said current call usage 
includes a first average of call usage over a first period 
of time extending from a first starting point in time, said 

10 information relating to said subscriber-specific pattern of 
historical call usage includes a second average of call 
usage, said comparison means compares said first average of 
call usage to said second average of call usage to 
determine if said first average of call usage exceeds said 

15 second average of call usage and, if so, whether said first 
average exceeds a third average over a second period of 
time extending from a second starting point in time by a 
predetermined amount, wherein said first and second periods 
of time are substantially equal, but said first starting 

20 point in time is different than said second starting point 
in time. 

38. A telecommunication fraud detection apparatus 
according to Claim 1, wherein said information relating to 
said subscriber-specific pattern of historical call usage 

25 includes information relating to a high of call usage, and 
said comparison means compares the particular subscriber's 
current call usage to said information relating to a high 
of call usage. 
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39. A telecommunication fraud detection apparatus 
according to Claim 1, wherein said information relating to 
said subscriber-specific pattern of historical call usage 
includes a threshold, said current call usage includes an 

5 average call usage over a period of time, and said 
comparison means compares said average call usage to said 
threshold. 

40, A telecommunication fraud detection apparatus 
according to Claim 1, wherein said information relating to 

10 said subscriber-specific pattern of historical call usage 
includes information relating to a high of call usage, said 
current call usage includes an average call usage over a 
period of time, and said comparison means compares said 
average call usage to said information relating to a high 

15 of call usage. 

41, A telecommunication fraud detection apparatus 
according to Claim 19 wherein said information displayed by 
said output means includes a plurality of graphs, each 
graph relating to the particular subscriber's call velocity 

20 over a particular period of time. 

42. A telecommunication fraud detection apparatus 
according to Claim 19 wherein information displayed by said 
output means includes information relating to a group of 
subscribers within a defined geographical region that 

25 includes said particular subscriber. 
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43. An apparatus for detecting potentially fraudulent 
telecominunication activity, comprising: 
a digital computers- 
interface means, operating within said digital 
computer, for receiving a call information record for each 
call involving a particular subscriber, said call 
information record derived from a switching oenter that 
establishes connections between telecommunication devices; 

analysis mean, operating within said digital computer, 
for receiving said call information record from said 
interface means and using said call information record in 
analyzing the particular subscriber's call usage to 
identify potentially fraudulent call activity; and 

output means, operating within said digital computer, 
for outputting an indication of said potentially fraudulent 
call activity. 

44. An apparatus, as claimed in Claim 43, wherein: 
said analysis means includes pattern means for using 

a plurality . of said call information record for said 
particular subscriber to develop information relating to a 
subscriber-specific pattern of historical call usage, and 
means for comparing current call usage of the particular 
subscriber to said information relating to said subscriber- 
specific pattern of historical call usage. 

45. A telecommunication fraud detection apparatus 
according to Claim 44, wherein said current call usage 
includes a first average of call usage, said infoirmation 
relating to said subscriber-specific pattern of historical 
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call usage includes a second average of call usage, and 
said comparison means compares said first average of call 
usage to said second average of call usage. 

46. A telecommunication fraud detection apparatus 
5 according to Claim 44, wherein said current call usage 

includes a first average of call usage over a first period 
of time, said information relating to a subscriber-specific 
pattern of historical call usage includes a second average 
of call usage over a second period of time that is 
0 different than said first predetermined period of time, and 
said comparison means compares said first average of call 
usage to said second average of call usage. 

47. A telecommunication fraud detection apparatus 
according to Claim 44, wherein said current call usage 

5 includes a first average of call usage over a first period 
of time that extends from a first starting point, said 
information relating to said subscriber-specific pattern of 
historical call usage includes a second average of call 
usage, and said comparison means compares said first 

0 average of call usage to said second average of call usage 
to determine if said first average of call usage exceeds 
said second average of call usage and, if so, whether said 
first average exceeds a third average of call usage that 
extends over a second period of time extending from a 

5 second starting point by a predetermined amount, wherein 
said first and second periods of time are substantially 
equal, but said first starting point in time is different 
from said second starting point in time. 
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48. A telecommunication fraud detection apparatus 
according to Claim 44, wherein said information relating to 
said subscriber-specific pattern of historical call usage 
includes information relating to a high of call usage, and 
said comparison means compares the particular subscriber's 
current call usage to said information relating to a high 



of call usage. 

49. A telecommunication fraud detection apparatus 
according to Claim 44, wherein said information relating to 
said subscriber-specific pattern of historical call usage 
includes a threshold, said current call usage includes an 
average call usage over a period of time, and said 
comparison means compares said average call usage to said 
threshold. 

50. A telecommunication fraud detection apparatus 
according to Claim 44, wherein said information relating to 
said subscriber-specific pattern of historical call usage 
includes information relating to a high of call usage, the 
current call usage includes an average call usage over a 
period of time, and said comparison means compares said 
average call usage to said information relating to a high 



of call usage. 

51. An apparatus, as claimed in Claim 43, wherein: 
said analysis means includes means for determining if 

two or more calls are one of the following: substantially 

simultaneously overlapped and overlapped after taking into 

account geographic dispersion. 
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52- An apparatus, as claimed in Claim 43, wherein: 
said analysis means includes means for comparing call 

destination information from said call information record 

to a predetermined call destination information- 
5 53* An apparatus, as claimed in Claim 43, wherein: 

said analysis means includes means for determining if 

the particular subscriber has exceeded a credit limit for 

said particular subscriber. 
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